Bug 2182565 (CVE-2023-0466) - CVE-2023-0466 openssl: Certificate policy check not enabled
Summary: CVE-2023-0466 openssl: Certificate policy check not enabled
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-0466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2182602 2182576 2182577 2182578 2182579 2182580 2182581 2182582 2182583 2182584 2182601 2182603 2182604 2182605 2182606 2182607 2182608 2182609 2182610 2182611 2182612 2187431
Blocks: 2182416
TreeView+ depends on / blocked
 
Reported: 2023-03-29 03:19 UTC by Sandipan Roy
Modified: 2023-12-07 13:55 UTC (History)
55 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenSSL. The X509_VERIFY_PARAM_add0_policy() function is documented to enable the certificate policy check when doing certificate verification implicitly. However, implementing the function does not enable the check, allowing certificates with invalid or incorrect policies to pass the certificate verification. Suddenly enabling the policy check could break existing deployments, so it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. The applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.
Clone Of:
Environment:
Last Closed: 2023-06-22 03:27:50 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3722 0 None None None 2023-06-21 14:39:01 UTC
Red Hat Product Errata RHSA-2023:7622 0 None None None 2023-12-07 12:18:04 UTC
Red Hat Product Errata RHSA-2023:7623 0 None None None 2023-12-07 12:37:24 UTC
Red Hat Product Errata RHSA-2023:7625 0 None None None 2023-12-07 13:49:13 UTC
Red Hat Product Errata RHSA-2023:7626 0 None None None 2023-12-07 13:55:31 UTC

Description Sandipan Roy 2023-03-29 03:19:26 UTC 
The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification. As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function. Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument. Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=73398dea26de9899fb4baa94098ad0a61f435c72
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=51e8a84ce742db0f6c70510d0159dad8f7825908
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=fc814a30fc4f0bc54fcea7d9a7462f5457aab061
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
https://www.openssl.org/news/secadv/20230328.txt
Comment 2 TEJ RATHI 2023-03-29 04:12:48 UTC 
Created edk2 tracking bugs for this issue:

Affects: fedora-36 [bug 2182603]
Affects: fedora-37 [bug 2182608]


Created mingw-openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182604]
Affects: fedora-37 [bug 2182609]


Created openssl tracking bugs for this issue:

Affects: fedora-36 [bug 2182605]
Affects: fedora-37 [bug 2182610]


Created openssl1.1 tracking bugs for this issue:

Affects: fedora-36 [bug 2182606]
Affects: fedora-37 [bug 2182611]


Created openssl11 tracking bugs for this issue:

Affects: epel-7 [bug 2182601]


Created openssl3 tracking bugs for this issue:

Affects: epel-8 [bug 2182602]


Created shim tracking bugs for this issue:

Affects: fedora-36 [bug 2182607]
Affects: fedora-37 [bug 2182612]
Comment 5 errata-xmlrpc 2023-06-21 14:38:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:3722 https://access.redhat.com/errata/RHSA-2023:3722
Comment 6 Product Security DevOps Team 2023-06-22 03:27:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0466
Comment 7 errata-xmlrpc 2023-12-07 12:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:7622 https://access.redhat.com/errata/RHSA-2023:7622
Comment 8 errata-xmlrpc 2023-12-07 12:37:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2023:7623 https://access.redhat.com/errata/RHSA-2023:7623
Comment 9 errata-xmlrpc 2023-12-07 13:49:08 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2023:7625 https://access.redhat.com/errata/RHSA-2023:7625
Comment 10 errata-xmlrpc 2023-12-07 13:55:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2023:7626 https://access.redhat.com/errata/RHSA-2023:7626
Note You need to log in before you can comment on or make changes to this bug.